Five Eyes intelligence agencies have issued a joint advisory warning that cyber threat actors are actively exploiting vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) impact all supported versions and allow malicious actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.
Of particular concern is the exploitation of Ivanti's Integrity Checker Tool (ICT), which fails to detect compromise, allowing cyber threat actors to gain root-level persistence even after factory resets. The advisory recommends specific actions for mitigating threats, including limiting outbound internet connections, keeping operating systems and firmware updated, and restricting SSL VPN connections to unprivileged accounts.
Network defenders are urged to assume that user and service account credentials within affected Ivanti VPN appliances are likely compromised. Organisations should hunt for malicious activity using provided detection methods and indicators of compromise, run Ivanti's most recent external ICT, and apply patching guidance. Due to the risk of sophisticated threat actors deploying rootkit-level persistence, organisations are advised to carefully consider the decision to continue operating Ivanti Connect Secure and Ivanti Policy Secure gateways in an enterprise environment.